Java-based Remote Access Trojan More Active
Posted by: Timothy Weaver on 04/17/2017 07:52 PM
Miscreants are using a Java-based remote access trojan variant in order to open a backdoor for attackers to remotely gain control of an infected system.
The malware arrives by the usual route: a phishing email with an attachment. Some of the emails pose as a tax notice supposedly sent by the IRS; others pose as purchase orders. In either case, opening the attachment transfers the jRAT payload to the target machine.
"We have seen multiple campaigns, such as purchase orders, invoices, tracking notices, etc., where jRAT was involved," Sameer Patil of the ThreatLabZ research team reported. The most significant iteration was using the IRS theme that started in the last week of March, he said.
"There were a few other unusual aspects to this malware," Patil added. "First, the majority of the payloads were being delivered over SSL using media/file sharing services like Dropbox. Another novel aspect was the multiple layers of packing combined with the highly obfuscated code-end payload in order to evade detection and hinder manual/automated analysis and reverse engineering. The malware author has also accounted for the operating system's bit-ness by embedding both 32-bit and 64-bit DLLs in the JAR payload."
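A defender triaging an attachment like the one described above would want to know whether a JAR carries native Windows code and for which bitness. The following script is an added example, not code from the article or from the ThreatLabZ report: it walks a JAR (a zip archive), identifies entries by their MZ/PE headers rather than by file extension, and reads the COFF Machine field to report 32-bit versus 64-bit. The sample JAR it builds, including the minimal stand-in PE images, is constructed for the demonstration and is not a real malware sample.

```python
import io
import struct
import zipfile

# Machine values from the PE COFF header (IMAGE_FILE_MACHINE_I386 / _AMD64).
PE_MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def pe_bitness(data: bytes):
    """Return the architecture of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return PE_MACHINE.get(machine, f"unknown machine 0x{machine:04x}")

def scan_jar(jar_bytes: bytes):
    """List every JAR entry that holds a PE image (detected by content, not by .dll suffix)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            arch = pe_bitness(jar.read(info.filename))
            if arch is not None:
                findings.append((info.filename, arch))
    return findings

def fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew, PE signature, Machine field."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)               # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18

def build_sample_jar() -> bytes:
    """Constructed sample JAR with the layout the article describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("a/b/Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        jar.writestr("lib/native32.dll", fake_pe(0x014C))
        jar.writestr("lib/native64.dll", fake_pe(0x8664))
        jar.writestr("res/data.bin", fake_pe(0x8664))         # PE hidden behind a non-.dll name
    return buf.getvalue()

if __name__ == "__main__":
    for name, arch in scan_jar(build_sample_jar()):
        print(f"{name}: {arch}")
```

Run against a suspicious JAR from a sandbox, the same check flags native payloads even when the packer has renamed them; it does not unpack nested layers, so apply it again to any inner archives it reveals.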
The campaign is still active and using current events as hooks.
Source: SCMagazine